chore: enforce 7-day supply-chain cooldown on dependencies#87
Hold newly published dependency versions for 7 days before they can be installed or proposed, so a malicious release has time to be detected and yanked. Applied at the package-manager and/or Dependabot layer.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Walkthrough: Two configuration files are updated to enforce a 7-day supply-chain cooldown.
Changes: 7-day supply-chain cooldown policy
Actionable comments posted: 1
Inline comments:
In @.npmrc:
- Line 4: The `min-release-age=7` setting in the .npmrc file prevents npm from
installing security patches published within the last 7 days, blocking critical
security updates during `npm install` and `npm update` commands. To fix this,
configure `min-release-age-exclude` in the .npmrc file to exempt
security-critical packages from the policy, allowing recently published security
patches to be installed immediately while maintaining the 7-day window for other
dependencies. Alternatively, lower the `min-release-age` value for packages with
known vulnerability exposure to reduce the delay in applying security fixes.
Files selected for processing (2):
- .github/dependabot.yml
- .npmrc
| # Supply-chain cooldown: refuse versions published less than 7 days ago so a | ||
| # malicious release has time to be detected/yanked before install. npm has no | ||
| # per-package exclusion, so this applies to all deps. | ||
| min-release-age=7 |
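Review bot: the third comment line states that npm has no per-package exclusion, but the analysis chain below cites the `min-release-age-exclude` config (npm/cli#9534, npm/cli#9175), which accepts exact names or glob patterns such as `@myorg/*`; either drop that sentence or add a `min-release-age-exclude` entry so the `.npmrc` layer mirrors the first-party exemption the Dependabot layer already has. The comment should also say that `npm ci` is unaffected (it installs verbatim from the lockfile without resolution), so this setting only guards resolution-based commands such as `npm install` and `npm update`, and that those commands will reject security patches inside the window with an ETARGET error unless `--min-release-age=0` is passed.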
🧩 Analysis chain
🌐 Web query:
For npm CLI, does min-release-age apply uniformly to all installs/resolutions (including security patch versions), and is there any built-in exception mechanism for security updates?
💡 Result:
In the npm CLI (as of June 2026), the min-release-age configuration applies to all package installations and resolutions performed by commands that involve dependency resolution, such as npm install and npm update [1][2][3]. It does not natively distinguish between standard package updates and security patches, meaning it will block recently published security fixes if they fall within the configured "cooldown" period, resulting in an ETARGET error [4].

There are two primary ways to manage exceptions for this policy:

1. Explicit Bypass via Command-line Flag: You can override the configuration for specific commands by setting the flag to zero. For example, running npm install <package-name> --min-release-age=0 will bypass the cooldown period for that specific operation [5][4]. This is commonly used in automated workflows (such as Dependabot) to ensure critical security patches are installed immediately [4].
2. Built-in Exclusion Mechanism: Recently, npm introduced the min-release-age-exclude configuration option [6]. This allows users to define a list of packages (supporting exact names or glob patterns, such as @myorg/*) that are exempt from the min-release-age policy [7][6]. This provides a structured way to allow trusted packages or internal libraries to bypass the age restriction consistently without needing to manually override the flag for every command [7].

Note that min-release-age does not affect npm ci, as that command installs packages verbatim from the lockfile without performing new resolution [3]. Additionally, due to how npm handles configuration flattening, min-release-age may appear as null when checked via npm config get if it has been converted into a before date for internal use [8][9].
Citations:
- 1: npm/cli@66d6e11
- 2: https://charpeni.com/blog/protecting-against-compromised-packages-with-minimum-release-age
- 3: [Support] min-release-age for npm ci (npm/cli#9281)
- 4: Pass --min-release-age=0 for npm security updates to bypass .npmrc (dependabot/dependabot-core#15139)
- 5: https://nodejs.org/learn/getting-started/security-best-practices
- 6: feat: add min-release-age-exclude config (npm/cli#9534)
- 7: feat: add min-release-age-exclude with glob pattern support (npm/cli#9175)
- 8: fix(config): preserve min-release-age after flattening (npm/cli#9285)
- 9: [BUG] min-release-age not shown by npm config ls (npm/cli#9199)
min-release-age=7 blocks security patches during npm install/npm update even when Dependabot overrides it per-PR.
min-release-age applies globally to resolution-based commands and does not distinguish between security patches and standard updates. This means npm install and npm update will reject recently published security fixes within the 7-day window, resulting in an ETARGET error—delaying critical patches. (npm ci itself is unaffected as it uses the lockfile without resolution.)
While Dependabot can override with --min-release-age=0 per-PR, consider using the min-release-age-exclude configuration option to exempt security-critical packages from the policy, or lower the window for packages with known vulnerability exposure.
Supply-chain cooldown (7-day minimum release age)
Part of an org-wide rollout hardening get2knowio repos against supply-chain attacks. A newly published dependency version must age 7 days before it can be installed/resolved or proposed by Dependabot — giving time for a malicious release to be detected and yanked. Security updates are never delayed (Dependabot cooldown applies to version updates only).
Config schema verified against current official docs (not training data).
Changes
- `.npmrc` — created with `min-release-age=7`.
- Dependabot (`.github/dependabot.yml`) — `cooldown: { default-days: 7 }` on `npm` (excludes first-party `@get2knowio/*`) and `github-actions`.

Note: this package is `@get2knowio/n8n-mcp`; the npm PM layer cannot exempt first-party (no exclusion key), but it has no self-dependency so this is moot.
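To make the cooldown behaviour discussed in the review comment and in the Changes list concrete, here is an added simulation (not code from this PR or from npm) of how a minimum release age filters a package's candidate versions: the newest version older than the window wins, an exclude glob such as `@get2knowio/*` skips the window, a window of 0 mirrors `--min-release-age=0`, and `null` stands in for npm's ETARGET when nothing qualifies. The `time` map, package names and "now" timestamp are constructed sample values; real data comes from `npm view <pkg> time --json`.

```javascript
// Added example: simulate npm-style min-release-age resolution with exclude globs.
// All package data below is constructed; real metadata comes from `npm view <pkg> time --json`.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed "time" map shaped like the registry's (version -> ISO publish timestamp).
// Real output also carries "created"/"modified" keys, which are filtered out below.
const sampleTimes = {
  created: "2026-05-01T00:00:00.000Z",
  modified: "2026-06-09T00:00:00.000Z",
  "1.0.0": "2026-05-01T00:00:00.000Z",
  "1.0.1": "2026-05-20T00:00:00.000Z",
  "1.0.2": "2026-06-09T00:00:00.000Z", // published one day before the sample "now"
};

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Does the package name match a min-release-age-exclude pattern ("exact" or "@scope/*")?
function matchesExclude(name, patterns) {
  return patterns.some((p) => {
    const re = new RegExp("^" + p.split("*").map(escapeRe).join(".*") + "$");
    return re.test(name);
  });
}

function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version whose age >= minAgeDays; excluded packages ignore the window.
// Returns null when no version qualifies (npm reports ETARGET in that case).
function resolveWithCooldown(name, times, minAgeDays, excludes, now) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const skipCooldown = matchesExclude(name, excludes);
  const candidates = Object.entries(times)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v))
    .filter(([, iso]) => skipCooldown || Date.parse(iso) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

const NOW = new Date("2026-06-10T00:00:00.000Z"); // constructed reference time
console.log(resolveWithCooldown("some-dep", sampleTimes, 7, [], NOW));
console.log(resolveWithCooldown("@get2knowio/n8n-mcp", sampleTimes, 7, ["@get2knowio/*"], NOW));
```

Running the block prints `1.0.1` (the day-old 1.0.2 is held back) and then `1.0.2` (the first-party scope is exempt).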